{"id":"MAL-2026-10169","summary":"Malicious code in paysafe-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59)\npaysafe-js@1.0.0 impersonates a Paysafe payments SDK (package name, description \"Paysafe JavaScript SDK\", and repository URL github.com/paysafe/paysafe-js) but its index.js contains XOR+base64-obfuscated logic that harvests installer secrets. When a consumer invokes the SDK's payments/customers methods with an apiKey configured, the code enumerates process.env, selects keys whose names contain substrings like key/secret/token/pass/auth/api, truncates each value to 100 characters, and POSTs the collected values along with hostname, username, cwd, package name, and call metadata to a hardcoded remote host on port 8443. The C2 hostname is concealed via a base64 + char-shift(-5) + reverse pipeline; HTTP method, headers, path, and env-key filter substrings are hidden with a raw XOR key decoded from base64. A sandbox-evasion gate (CPU count and hostname/username substring checks) and a delayed setTimeout (~26 seconds) precede transmission. Any developer who integrates this package expecting the Paysafe SDK will leak the credential-shaped environment variables of their build or runtime environment to the attacker.\n","modified":"2026-07-10T19:16:57.075017448Z","published":"2026-07-10T18:37:30Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-10T18:37:30Z","id":"IN-MAL-2026-009700","sha256":"a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59","versions":["1.0.0"],"source":"amazon-inspector","import_time":"2026-07-10T19:02:48.420057646Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/paysafe-js/v/1.0.0"}],"affected":[{"package":{"name":"paysafe-js","ecosystem":"npm","purl":"pkg:npm/paysafe-js"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","sha256":"615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369","tlsh":"6a618230b1e9a53737b04fe18d7a44059d5e4c423d85b3a3b6ac78ce9a532e2d1d687c"},{"path":"package.json","sha256":"9ec3b25c938a9e2d035bfcf76ac1cd1f4919e04de3cbcc4aa0246d86d19173c8","tlsh":"22e02233ce908d2309b697918c358241b3712f1f68208c0fb6fb001c87626b709dab6c"}],"package_integrity":[{"filename":"paysafe-js-1.0.0.tgz","hashes":{"sha512_sri":"sha512-8wMpTm4NP0WBIqGAMtRCbIhOCTVCXskYRGVxkZBHfkW8zEOkoEZ3iUj9i5/NYbmV0Uo2t07+TKLdKcj/moF+8A==","sha1":"eef336670fda94ee5cfd32a83972bb3f73a0b49c"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-js/MAL-2026-10169.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}